The persistent and evolving nature of cyber threats often means that even the most diligent security patching may not provide the impenetrable defense organizations expect. Fortinet has recently confirmed this unsettling reality by announcing that it is actively working to address a FortiCloud Single Sign-On (SSO) authentication bypass vulnerability, following credible reports of new exploitation activities targeting firewalls that were already fully patched. This development raises serious concerns for network administrators who believed their devices were secure. In a recent statement, Fortinet’s Chief Information Security Officer, Carl Windsor, acknowledged the gravity of the situation, noting that “in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path.” This activity effectively represents a sophisticated bypass for the security measures initially implemented to resolve vulnerabilities CVE-2025-59718 and CVE-2025-59719, which could permit unauthenticated access via crafted SAML messages when the FortiCloud SSO feature is enabled.
1. The Evolving Threat Landscape
The renewed wave of malicious activity targeting FortiGate appliances has exposed a critical gap in the initial patching efforts, demonstrating the attackers’ ability to adapt and find new avenues of exploitation. Reports began surfacing that malicious SSO logins were being successfully executed against admin accounts on devices that had already received the fixes for the twin CVEs. This pattern of attack is strikingly similar to incidents observed in December, shortly after the initial disclosure of the vulnerabilities, suggesting a persistent and knowledgeable threat actor. The attackers’ methodology is methodical and designed for long-term compromise. It begins with creating generic accounts for persistence, often using innocuous-sounding names like “cloud-noc@mail.io” and “cloud-init@mail.io” to evade detection. Once inside, they proceed to alter system configurations, granting VPN access to these newly created accounts. The final stage involves the exfiltration of entire firewall configurations to various external IP addresses, providing the attackers with a complete blueprint of the network’s security architecture for future campaigns.
2. Proactive Defense Measures
In response to this persistent threat, Fortinet has issued urgent guidance for administrators to secure their network infrastructure against this new attack vector. The company strongly recommends implementing two key mitigations to thwart potential exploitation. First, organizations should immediately restrict administrative access to their edge network devices from the internet by applying a stringent local-in policy. This measure significantly reduces the attack surface, making it much more difficult for external threat actors to reach the vulnerable login interface. Second, and more directly, administrators are urged to disable FortiCloud SSO logins by turning off the “admin-forticloud-sso-login” setting. This action directly addresses the exploited authentication mechanism, closing the door on the currently observed attack method. It is crucial to note Fortinet’s broader warning: while only the FortiCloud SSO implementation has been exploited in the wild so far, the underlying issue is applicable to all SAML SSO implementations. This incident underscored the dynamic and challenging nature of cybersecurity, where initial fixes did not always cover every potential exploit, reinforcing the need for continuous vigilance.
